Skip links

Now Mandiant says 2021 was a record year for exploited zero-day security bugs

The number of zero-day vulnerabilities exploited in the wild reached an all-time high last year, according to Mandiant.

The security shop identified 80 such actively abused flaws in 2021, which Mandiant researcher James Sadowski noted is more than double the previous zero-day record from 2019.

This echoes another zero-day report also published this week by Google. However, the cloud giant’s bug hunters spotted 58, compared to Mandiant’s 80 recorded instances.

Similar to Mandiant’s 2020 analysis, in 2021 state-sponsored groups exploited the most zero-day security bugs, and once again Chinese cyber espionage groups racked up the largest number of zero-days: eight. In fact, China has exploited more zero-days than any other nation since 2021, according to Mandiant’s research. Western nations, such as the US and UK, are either good at hiding their exploitation, use few zero-day flaws, or are curiously absent from these lists, we note.

“We observed an increase in the number of nations likely exploiting zero-days, particularly over the last several years, and at least 10 separate countries likely exploited zero-days since 2012,” Sadowski wrote.

The Microsoft Exchange server zero-days proved to be a boon for Beijing’s spies, and Mandiant observed “multiple Chinese espionage activity clusters” abusing these four programming blunders between January and March 2021.

Beijing cyber spies lead the pack

Microsoft, which named the miscreants Hafnium, said the cybercriminals were exploiting these zero-days to steal data from US-based defense contractors, law firms, and infectious disease researchers. 

And in Mandiant’s year-end zero-day analysis, Sadowski noted China’s cyber espionage activities over the last two years “suggest that Beijing is no longer deterred by formal government statements and indictments from victimized countries.”

“In addition to the resurgence of previously dormant cyber espionage groups indicted by the US Department of Justice, Chinese espionage groups have become increasingly brash,” he added.

Interestingly, Mandiant did not identify any zero-day exploits used by Russian GRU-sponsored APT28, also known as Fancy Bear, until they “likely” exploited a Microsoft Excel zero-day late last year. 

“However, open-source reporting indicated that other Russian state-sponsored actors exploited several zero-days in 2020 and 2021, including during likely Russian Temp.Isotope’s activity possibly targeting critical infrastructure networks with a zero-day in a Sophos firewall product,” Sadowski wrote.

He’s talking about Russia-linked cyber-spy gang Temp.Isotope, also referred to as Berserk Bear or Energetic Bear. This crew is known for abusing Microsoft’s SMB protocol to infiltrate energy and industrial sectors. 

In all, Russia was responsible for two zero-day exploits in 2021. In addition to China and Russia, North Korea pulled off one of these attacks last year.

In total, the security researchers analyzed zero-day vulnerabilities from 12 vendors last year, and found Microsoft, Apple and Google products comprised 75 percent of the exploits in 2021. 

Sadowski noted that these companies’ popularity makes them easy targets for cybercriminals, and that miscreants will keep targeting these big names because of their prevalence in the market.

Financially motivated gangs coalesce around ransomware

And while state-sponsored groups were responsible for using the most exploits, Mandiant observed a growing number of financially motivated gangs targeting zero-days last years. Between 2014 and 2018, the threat intel team only traced “a small proportion” of financially motivated criminals exploiting zero-days. But that changed in 2021, when about one-third of the exploits were used for financially motivated attacks.

In fact, since about 2019 “criminal underground coalesced around ransomware [PDF] operations,” according to Sadowski. This may indicate that ransomware rings are beginning to recruit or buy skills needed to exploit zero-days. The Conti leaks, which exploded details about that crime ring’s recruiting and hiring activities, supports this theory.

Mandiant has also documented [PDF] the increase in the number of ransomware attacks and their size and scope.

What’s next?

As zero-day exploits become more accessible (for a price) to more state-sponsored and financially motivated cybercriminals through ransomware-as-a-service operations and researchers selling exploits, the risk for organizations across industries and geographies expands.

“While exploitation peaked in 2021, there are indications that the pace of exploitation of new zero-days slowed in the latter half of the year; however, zero-day exploitation is still occurring at an elevated rate compared to previous years,” Sadowski noted.

In other words: don’t act like we’re out of the woods. Apply patches and prioritize known exploited vulnerabilities, he added. Build a defense-in-depth strategy. Pay attention to CISA and other federal enforcement agencies’ security alerts. And hopefully 2022 will look better for the defenders. ®